% cat master.cfg
# -*- python -*-
# ex: set syntax=python:
# This is a sample buildmaster config file. It must be installed as
# 'master.cfg' in your buildmaster's base directory.
# This is the dictionary that the buildmaster pays attention to. We also use
# a shorter alias to save typing.
c = BuildmasterConfig = {}
####### BUILDSLAVES
# The 'slaves' list defines the set of recognized buildslaves. Each element is
# a BuildSlave object, specifying a unique slave name and password. The same
# slave name and password must be configured on the slave.
from buildbot.buildslave import BuildSlave
# NOTE(review): "example-slave" / "pass" are the sample credentials from the
# template and are stored here in clear text. A slave that presents this name
# and password is treated as a recognized buildslave, so set a long random
# password and keep this file readable only by the buildmaster account.
c['slaves'] = [BuildSlave("example-slave", "pass")]
# 'protocols' contains information about protocols which master will use for
# communicating with slaves.
# You must define at least 'port' option that slaves could connect to your master
# with this protocol.
# 'port' must match the value configured into the buildslaves (with their
# --master option)
# NOTE(review): presumably this port is reachable from any host unless it is
# restricted elsewhere -- confirm it is firewalled to the slave machines only.
c['protocols'] = {'pb': {'port': 9989}}
####### CHANGESOURCES
# the 'change_source' setting tells the buildmaster how it should find out
# about source code changes. Here we point to the buildbot clone of pyflakes.
from buildbot.changes.gitpoller import GitPoller
c['change_source'] = []
# Watch the 'master' branch of the repository, polling at pollinterval=300
# (presumably seconds -- confirm against the GitPoller documentation).
# NOTE(review): git:// is the unauthenticated, unencrypted Git transport, so
# what the poller fetches is not integrity-protected in transit. Prefer an
# https:// or ssh remote where the hosting side offers one.
c['change_source'].append(GitPoller(
    'git://github.com/buildbot/pyflakes.git',
    workdir='gitpoller-workdir', branch='master',
    pollinterval=300))
####### SCHEDULERS
# Configure the Schedulers, which decide how to react to incoming changes. In this
# case, just kick off a 'runtests' build
from buildbot.schedulers.basic import SingleBranchScheduler
from buildbot.schedulers.forcesched import ForceScheduler
# NOTE: this import shadows Python's builtin filter() for the rest of the file.
from buildbot.changes import filter
c['schedulers'] = []
# Scheduler "all": changes on branch 'master' trigger the 'runtests' builder.
c['schedulers'].append(SingleBranchScheduler(
    name="all",
    change_filter=filter.ChangeFilter(branch='master'),
    treeStableTimer=None,
    builderNames=["runtests"]))
# Scheduler "force": a ForceScheduler for the same builder. Who may use it from
# the web status is decided by the forceBuild entry in the STATUS TARGETS
# section of this file.
c['schedulers'].append(ForceScheduler(
    name="force",
    builderNames=["runtests"]))
####### BUILDERS
# The 'builders' list defines the Builders, which tell Buildbot how to perform a build:
# what steps, and which slaves can execute them. Note that any particular build will
# only take place on one slave.
from buildbot.process.factory import BuildFactory
from buildbot.steps.source.git import Git
from buildbot.steps.shell import ShellCommand
factory = BuildFactory()
# check out the source
# NOTE(review): same git:// remote as the change source -- the checkout is
# fetched without authentication or encryption.
factory.addStep(Git(repourl='git://github.com/buildbot/pyflakes.git', mode='incremental'))
# run the tests (note that this will require that 'trial' is installed)
# NOTE(review): this step runs code from the checked-out repository on the
# slave, so the slave process should run under an unprivileged account.
factory.addStep(ShellCommand(command=["trial", "pyflakes"]))
from buildbot.config import BuilderConfig
c['builders'] = []
# Builder "runtests": runs the factory above on the slave named "example-slave".
c['builders'].append(
    BuilderConfig(name="runtests",
                  slavenames=["example-slave"],
                  factory=factory))
####### STATUS TARGETS
# 'status' is a list of Status Targets. The results of each build will be
# pushed to these targets. buildbot/status/*.py has a variety to choose from,
# including web pages, email senders, and IRC bots.
c['status'] = []
from buildbot.status import html
from buildbot.status.web import authz, auth
authz_cfg=authz.Authz(
    # change any of these to True to enable; see the manual for more
    # options
    # NOTE(review): one web account whose password equals its user name, kept
    # in clear text in this file. Replace it before the web status is
    # reachable from anything other than a test host.
    auth=auth.BasicAuth([("pyflakes","pyflakes")]),
    gracefulShutdown = False,
    # 'auth' (rather than True/False) ties this action to the auth= account
    # above; all other actions in this list are switched off.
    forceBuild = 'auth', # use this to test your slave once it is set up
    forceAllBuilds = False,
    pingBuilder = False,
    stopBuild = False,
    stopAllBuilds = False,
    cancelPendingBuild = False,
)
# NOTE(review): http_port suggests the page is served over plain HTTP, in
# which case the Basic-auth credentials cross the network unencrypted --
# confirm a TLS-terminating proxy is in front, or keep the port local.
c['status'].append(html.WebStatus(http_port=8010, authz=authz_cfg))
####### PROJECT IDENTITY
# the 'title' string will appear at the top of this buildbot
# installation's html.WebStatus home page (linked to the
# 'titleURL') and is embedded in the title of the waterfall HTML page.
c['title'] = "Pyflakes"
c['titleURL'] = "https://launchpad.net/pyflakes"
# the 'buildbotURL' string should point to the location where the buildbot's
# internal web server (usually the html.WebStatus page) is visible. This
# typically uses the port number set in the Waterfall 'status' entry, but
# with an externally-visible host name which the buildbot cannot figure out
# without some help.
# Still the template value: it points at localhost on the WebStatus port.
c['buildbotURL'] = "http://localhost:8010/"
####### DB URL
c['db'] = {
    # This specifies what database buildbot uses to store its state. You can leave
    # this at its default for all but the largest installations.
    # NOTE(review): the sqlite path is relative -- presumably resolved against
    # the buildmaster base directory; confirm, and keep the file writable only
    # by the buildmaster account.
    'db_url' : "sqlite:///state.sqlite",
}

% lxc-create -h
usage: lxc-create -n <name> [-f configuration] [-t template] [-h] [fsopts] -- [template_options]
fsopts: -B none
fsopts: -B lvm [--lvname lvname] [--vgname vgname] [--fstype fstype] [--fssize fssize]
fsopts: -B btrfs
flag is not necessary, if possible btrfs support will be used
creates a lxc system object.
Options:
name : name of the container
configuration: lxc configuration
template : lxc-template is an accessible template script
The container backing store can be altered using '-B'. By default it
is 'none', which is a simple directory tree under /var/lib/lxc/<name>/rootfs
Otherwise, the following option values may be relevant:
lvname : [for -lvm] name of lv in which to create lv,
container-name by default
vgname : [for -lvm] name of vg in which to create lv, 'lxc' by default
fstype : name of filesystem to create, ext4 by default
fssize : size of filesystem to create, 500M by default
for template-specific help, specify a template, for instance:
lxc-create -t debconf -h

$ diff -u munin.conf.org munin.conf
--- munin.conf.org 2014-06-16 15:57:47.764255564 +0000
+++ munin.conf 2014-06-17 01:30:28.002698093 +0000
@@ -5,10 +5,10 @@
# must be writable by the user running munin-cron. They are all
# defaulted to the values you see here.
#
-#dbdir /var/lib/munin
-#htmldir /var/www/html/munin
-#logdir /var/log/munin
-#rundir /var/run/munin
+dbdir /var/lib/munin
+htmldir /var/www/html/munin
+logdir /var/log/munin
+rundir /var/run/munin
# Where to look for the HTML templates
#
@@ -37,7 +37,7 @@
# Since 2.0, munin-graph has been rewritten to use the cgi code.
# It is single threaded *by design* now.
#
-graph_strategy cron
+graph_strategy cgi
# munin-cgi-graph is invoked by the web server up to very many times at the
# same time. This is not optimal since it results in high CPU and memory
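Review bot: With `graph_strategy cgi` every graph is rendered inside a web request, and the context comment right after the changed line already warns that munin-cgi-graph can be invoked many times at once with high CPU and memory use. The setting that comment leads into lies outside this hunk, so confirm a concurrency limit is configured, and if the munin pages are reachable from outside the admin network, restrict access to the CGI URL in the web server configuration. The same consideration applies to `html_strategy cgi` in the next hunk, where the context comment also says munin-html may still have to be launched by hand.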
@@ -66,7 +66,7 @@
# - moving to CGI for HTML means you cannot have graph generated by cron.
# - cgi html has some bugs, mostly you still have to launch munin-html by hand
#
-html_strategy cron
+html_strategy cgi
# munin-update runs in parallel.
#

インストール

$ yum info mysql-community-server
Available Packages
Name : mysql-community-server
Arch : x86_64
Version : 5.6.19
Release : 2.el6
Size : 52 M
Repo : mysql56-community
Summary : A very fast and reliable SQL database server
URL : http://www.mysql.com/
License : Copyright (c) 2000, 2014, Oracle and/or its affiliates. All
: rights reserved. Under GPLv2 license as shown in the Description
: field.
Description : The MySQL(TM) software delivers a very fast, multi-threaded,
: multi-user, and robust SQL (Structured Query Language) database
: server. MySQL Server is intended for mission-critical, heavy-load
: production systems as well as for embedding into mass-deployed
: software. MySQL is a trademark of Oracle and/or its affiliates
:
: The MySQL software has Dual Licensing, which means you can use
: the MySQL software free of charge under the GNU General Public
: License (http://www.gnu.org/licenses/). You can also purchase
: commercial MySQL licenses from Oracle and/or its affiliates if
: you do not wish to be bound by the terms of the GPL. See the
: chapter "Licensing and Support" in the manual for further info.
:
: The MySQL web site (http://www.mysql.com/) provides the latest
: news and information about the MySQL software. Also please see
: the documentation and the manual for more information.
:
: This package includes the MySQL server binary as well as related
: utilities to run and administer a MySQL server.

$ diff -u poudriere.conf.org poudriere.conf
--- poudriere.conf.org 2014-05-25 15:21:34.000000000 +0900
+++ poudriere.conf 2014-05-25 15:27:09.000000000 +0900
@@ -10,6 +10,7 @@
# poudriere.
#
#ZPOOL=tank
+ZPOOL=zpool_raidz
### NO ZFS
# To not use ZFS, define NO_ZFS=yes
@@ -26,7 +27,7 @@
#
# Also not that every protocols supported by fetch(1) are supported here, even
# file:///
-FREEBSD_HOST=_PROTO_://_CHANGE_THIS_
+FREEBSD_HOST=ftp://ftp.jp.FreeBSD.org
# By default the jails have no /etc/resolv.conf, you will need to set
# REVOLV_CONF to a file on your hosts system that will be copied has
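Review bot: `FREEBSD_HOST=ftp://ftp.jp.FreeBSD.org` downloads the jail's base system over plain FTP, which gives no protection against tampering in transit; any checksum list fetched over the same connection does not change that. The comment above the line says every protocol fetch(1) supports is accepted, so an HTTPS mirror can be used instead, for example `FREEBSD_HOST=https://download.FreeBSD.org`.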
@@ -136,6 +137,7 @@
#
# Cleanout the restricted packages
# NO_RESTRICTED=yes
+NO_RESTRICTED=yes
# By default MAKE_JOBS is disabled to allow only one process per cpu
# Use the following to allow it anyway

% dpkg -i mysql-apt-config_0.1.5-1debian7_all.deb
$ cat /etc/apt/sources.list.d/mysql.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb http://repo.mysql.com/apt/ stable mysql-5.6

RPM作成

pulledpork

% diff -u pulledpork.conf.org pulledpork.conf

--- pulledpork.conf.org 2014-05-06 20:09:14.774046736 +0900
+++ pulledpork.conf 2014-05-06 23:26:04.791047913 +0900
@@ -16,14 +16,15 @@
# i.e. rule_url=http://x.y.z/|a.tar.gz|123,http://z.y.z/|b.tar.gz|456
# note that the url, rule file, and oinkcode itself are separated by a pipe |
# i.e. url|tarball|123456789,
-rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
+#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
+rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|123456789
# NEW Community ruleset:
-rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
+#rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community
# NEW For IP Blacklisting! Note the format is urltofile|IPBLACKLIST|<oinkcode>
# This format MUST be followed to let pulledpork know that this is a blacklist
-rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
+#rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
# URL for rule documentation! (slow to process)
-rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
+#rule_url=https://www.snort.org/reg-rules/|opensource.gz|<oinkcode>
#rule_url=https://rules.emergingthreatspro.com/|emerging.rules.tar.gz|open
# THE FOLLOWING URL is for etpro downloads, note the tarball name change!
# and the et oinkcode requirement!
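Review bot: The new `rule_url` line stores the oinkcode in clear text in pulledpork.conf (`123456789` here is presumably a stand-in taken from the comment's example). The oinkcode is a per-account credential for the rule download, so the file should be readable only by the account that runs pulledpork, and the real value should be replaced with a placeholder such as `<oinkcode>` before the config is published or committed. This hunk also comments out the community ruleset and the IP blacklist feed, leaving the registered ruleset as the only source; confirm that reduction in coverage is intended.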
@@ -69,14 +70,14 @@
# rules? (this value has changed as of 0.4.0, previously we copied
# all of the rules, now we are creating a single large rules file
# but still keeping a separate file for your so_rules!
-rule_path=/usr/local/etc/snort/rules/snort.rules
+rule_path=/etc/snort/rules/snort.rules
# What path you want the .rules files to be written to, this is UNIQUE
# from the rule_path and cannot be used in conjunction, this is to be used with the
# -k runtime flag, this can be set at runtime using the -K flag or specified
# here. If specified here, the -k option must also be passed at runtime, however
# specifying -K <path> at runtime forces the -k option to also be set
-# out_path=/usr/local/etc/snort/rules/
+out_path=/etc/snort/rules/
# If you are running any rules in your local.rules file, we need to
# know about them to properly build a sid-msg.map that will contain your
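Review bot: `out_path=/etc/snort/rules/` is now enabled while `rule_path=/etc/snort/rules/snort.rules` stays set, but the comment above out_path says it is unique from rule_path, cannot be used in conjunction with it, and needs the -k option at runtime. Pick one mode: either leave the line commented, `# out_path=/etc/snort/rules/`, or run pulledpork with -k and check that snort.conf includes the resulting per-category .rules files (presumably instead of the single snort.rules).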
@@ -84,10 +85,10 @@
# files that are local to your system here by adding a comma and more paths...
# remember that the FULL path must be specified for EACH value.
# local_rules=/path/to/these.rules,/path/to/those.rules
-local_rules=/usr/local/etc/snort/rules/local.rules
+local_rules=/etc/snort/rules/local.rules
# Where should I put the sid-msg.map file?
-sid_msg=/usr/local/etc/snort/sid-msg.map
+sid_msg=/etc/snort/sid-msg.map
# New for by2 and more advanced msg mapping. Valid options are 1 or 2
# specify version 2 if you are running barnyard2.2+. Otherwise use 1
@@ -110,11 +111,11 @@
sorule_path=/usr/local/lib/snort_dynamicrules/
# Path to the snort binary, we need this to generate the stub files
-snort_path=/usr/local/bin/snort
+snort_path=/usr/sbin/snort
# We need to know where your snort.conf file lives so that we can
# generate the stub files
-config_path=/usr/local/etc/snort/snort.conf
+config_path=/etc/snort/snort.conf
##### Deprecated - The stubs are now categorically written to the single rule file!
# sostub_path=/usr/local/etc/snort/rules/so_rules.rules
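Review bot: The context line `sorule_path=/usr/local/lib/snort_dynamicrules/` is left under /usr/local while `snort_path` and `config_path` in this hunk move to the packaged locations `/usr/sbin/snort` and `/etc/snort/snort.conf`. If the RPM install keeps its dynamic rules elsewhere, shared-object rules would be written to a directory snort does not load. Check the dynamic-rules directory named in /etc/snort/snort.conf and set sorule_path to match.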
@@ -128,7 +129,7 @@
# FreeBSD-7-3, FreeBSD-8-1
# OpenBSD-4-8
# Slackware-13-1
-distro=FreeBSD-8.1
+distro=RHEL-6-0
####### This next section is optional, but probably pretty useful to you.
####### Please read thoroughly!

$ yum info snort
Name : snort
Arch : x86_64
Epoch : 1
Version : 2.9.6.1
Release : 1
Size : 15 M
Repo : installed
Summary : An open source Network Intrusion Detection System (NIDS)
URL : http://www.snort.org/
License : GPL
Description : Snort is an open source network intrusion detection system, capable of
: performing real-time traffic analysis and packet logging on IP networks.
: It can perform protocol analysis, content searching/matching and can be
: used to detect a variety of attacks and probes, such as buffer overflows,
: stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts,
: and much more.
:
: Snort has three primary uses. It can be used as a straight packet sniffer
: like tcpdump(1), a packet logger (useful for network traffic debugging,
: etc), or as a full blown network intrusion detection system.
:
: You MUST edit /etc/snort/snort.conf to configure snort before it will work!
:
: There are 5 different packages available. All of them require the base
: snort rpm (this one). Additionally, you may need to chose a different
: binary to install if you want database support.
:
: If you install a different binary package /usr/sbin/snort should end up
: being a symlink to a binary in one of the following configurations:
:
: plain Snort (this package, required)
:
: Please see the documentation in /usr/share/doc/snort-2.9.6.1 for more
: information on snort features and configuration.

$ vi spec/vsftpd/vsftpd_spec.rb
# Serverspec checks for the vsftpd FTP server: package, service, listening
# port, and ownership/permissions of its config file and anonymous root.
require 'spec_helper'

describe package('vsftpd') do
  it { should be_installed }
end

describe service('vsftpd') do
  it { should be_enabled }
  it { should be_running }
end

# Port 21 is the FTP control port.
describe port(21) do
  it { should be_listening }
end

# The config file must be a root-owned regular file with mode 600, i.e. not
# readable or writable by other accounts.
describe file('/etc/vsftpd/vsftpd.conf') do
  it { should be_file }
  it { should be_mode 600 }
  it { should be_owned_by 'root' }
  it { should be_grouped_into 'root' }
  # NOTE(review): this only pins the anon_root path. It does not assert
  # whether anonymous login is enabled or that anonymous upload/write options
  # are off -- consider adding explicit content checks for those settings.
  its(:content) { should match /anon_root=\/var\/vsftpd/ }
end

# The anonymous root must be a root-owned directory with mode 755, so that
# only root can write to it.
describe file('/var/vsftpd') do
  it { should be_directory }
  it { should be_mode 755 }
  it { should be_owned_by 'root' }
  it { should be_grouped_into 'root' }
end

sparse volume

Though not recommended, a "sparse volume" (also known as "thin provisioning") can be created by specifying the -s option to the zfs create -V command, or by changing the reservation after the volume has been created. A "sparse volume" is a volume where the reservation is less than the volume size. Consequently, writes to a sparse volume can fail with ENOSPC when the pool is low on space. For a sparse volume, changes to volsize are not reflected in the reservation.

-s
Creates a sparse volume with no reservation. See volsize in the Native Properties section for more information about sparse volumes.

-W host:port
Requests that standard input and output on the client be forwarded to host on
port over the secure channel. Implies -N, -T, ExitOnForwardFailure and
ClearAllForwardings and works with Protocol version 2 only.

# vi /var/lib/tftpboot/wheezy/etc/rc.local
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# As edited here, the script runs /var/scripts/os_install.sh each time it is
# executed. Because of the -e in the shebang line, a non-zero exit status from
# that script ends rc.local immediately and the "exit 0" below is not reached.
# NOTE(review): rc.local normally runs as root -- keep
# /var/scripts/os_install.sh and its directory writable by root only, since
# whatever is at that path is executed at boot.
/var/scripts/os_install.sh
exit 0

# ngircd -V
ngIRCd 20.2-IPv6+IRCPLUS+SSL+SYSLOG+TCPWRAP+ZLIB-amd64/portbld/freebsd9.1
Copyright (c)2001-2013 Alexander Barton (<alex@barton.de>) and Contributors.
Homepage: <http://ngircd.barton.de/>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

# mkdir ngircd_ssl
# cd ngircd_ssl
# openssl dhparam -out dhparams.pem 2048
# openssl req -newkey rsa:2048 -x509 -keyout server-key.pem -out server-cert.pem -days 3650
writing new private key to 'server-key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

# ngircd -t
ngIRCd 20.2-IPv6+IRCPLUS+SSL+SYSLOG+TCPWRAP+ZLIB-amd64/portbld/freebsd9.1
Copyright (c)2001-2013 Alexander Barton (<alex@barton.de>) and Contributors.
Homepage: <http://ngircd.barton.de/>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Reading configuration from "/usr/local/etc/ngircd.conf" ...
OK, press enter to see a dump of your server configuration ...

# vi dnsmasq.d/dnsmasq-avalilable/dns.conf
# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv
# Add local-only domains here, queries in these domains are answered
# from /etc/hosts or DHCP only.
local=/localnet/
# Set this (and domain: see below) if you want to have a domain
# automatically added to simple names in a hosts-file.
expand-hosts
# Set the domain for dnsmasq. this is optional, but if it is set, it
# does the following things.
# 1) Allows DHCP hosts to have fully qualified domain names, as long
# as the domain part matches this setting.
# 2) Sets the "domain" DHCP option thereby potentially setting the
# domain of all systems configured by DHCP
# 3) Provides the domain part for "expand-hosts"
domain=localnet

Puppet server

# vi /etc/sysconfig/puppet
# The puppetmaster server
#PUPPET_SERVER=puppet
# If you wish to specify the port to connect to do so here
PUPPET_PORT=8139
# Where to log to. Specify syslog to send log messages to the system log.
PUPPET_LOG=/var/log/puppet/puppet.log
# You may specify other parameters to the puppet client here
#PUPPET_EXTRA_OPTS=--waitforcert=500

# vi /etc/puppet/manifests/files/puppet
# The puppetmaster server
PUPPET_SERVER=puppetsrv.localnet
# If you wish to specify the port to connect to do so here
#PUPPET_PORT=8140
# Where to log to. Specify syslog to send log messages to the system log.
PUPPET_LOG=/var/log/puppet/puppet.log
# You may specify other parameters to the puppet client here
#PUPPET_EXTRA_OPTS=--waitforcert=500
# NOTE(review): --listen makes the agent accept inbound connections that can
# trigger a run, and --no-client turns off its own periodic runs. Who may
# trigger a run is then decided by the agent's auth configuration, so confirm
# that only the puppet master host is allowed and that the listening port is
# firewalled accordingly.
PUPPET_EXTRA_OPTS="--listen --no-client"

# rpm -i http://mirror.symnds.com/distributions/fedora-epel/6/x86_64/epel-release-6-8.noarch.rpm
# yum -y install cobbler pykickstart dhcp
# cobbler --version
Cobbler 2.2.3
source: ?, ?
build time: Mon Jun 18 01:04:49 2012
# cobbler check
The following are potential configuration items that you may want to fix:
1 : The 'server' field in /etc/cobbler/settings must be set to something other than localhost, or kickstarting features will not work. This should be a resolvable hostname or IP for the boot server as reachable by all machines that will use it.
2 : For PXE to be functional, the 'next_server' field in /etc/cobbler/settings must be set to something other than 127.0.0.1, and should match the IP of the boot server on the PXE network.
3 : some network boot-loaders are missing from /var/lib/cobbler/loaders, you may run 'cobbler get-loaders' to download them, or, if you only want to handle x86/x86_64 netbooting, you may ensure that you have installed a *recent* version of the syslinux package installed and can ignore this message entirely. Files in this directory, should you want to support all architectures, should include pxelinux.0, menu.c32, elilo.efi, and yaboot. The 'cobbler get-loaders' command is the easiest way to resolve these requirements.
4 : change 'disable' to 'no' in /etc/xinetd.d/rsync
5 : since iptables may be running, ensure 69, 80/443, and 25151 are unblocked
6 : debmirror package is not installed, it will be required to manage debian deployments and repositories
7 : The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed, try: "openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'" to generate new one
8 : fencing tools were not found, and are required to use the (optional) power management features. install cman or fence-agents to use them
Restart cobblerd and then run 'cobbler sync' to apply changes.
# /etc/init.d/cobblerd start
# vi /etc/xinetd.d/rsync
disable = no
# vi /etc/xinetd.d/tftp
disable = no
# vi /etc/cobbler/settings
server: 192.168.0.1
manage_dhcp: 1
next_server: 192.168.0.254 <- Gateway
# vi /etc/cobbler/dhcp.template
subnet 192.168.0.0 netmask 255.255.255.0 {
option routers 192.168.0.254;
option domain-name-servers 8.8.8.8;
option subnet-mask 255.255.255.0;
range dynamic-bootp 192.168.0.200 192.168.0.250;
filename "/pxelinux.0";
default-lease-time 21600;
max-lease-time 43200;
next-server $next_server;
}
# /etc/init.d/iptables stop
# /etc/init.d/xinetd restart
# /etc/init.d/cobblerd restart
# cobbler get-loaders
# cobbler sync
# cobbler import --path=rsync://ftp.jaist.ac.jp/pub/Linux/CentOS/6.4/os/x86_64/ --name=CentOS6.4_x86_64
# cobbler sync

Cobblerを使いインストールするとデフォルトのパスワードはcobblerとなっている。

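変更する場合は、下記の cobbler check の出力にあるとおり openssl passwd でハッシュを生成し、/etc/cobbler/settings の default_password_crypted に設定したうえで、cobblerd を再起動して cobbler sync を実行する。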

# cobbler check
The following are potential configuration items that you may want to fix:
1 : debmirror package is not installed, it will be required to manage debian deployments and repositories
2 : The default password used by the sample templates for newly installed machines (default_password_crypted in /etc/cobbler/settings) is still set to 'cobbler' and should be changed, try: "openssl passwd -1 -salt 'random-phrase-here' 'your-password-here'" to generate new one
3 : fencing tools were not found, and are required to use the (optional) power management features. install cman or fence-agents to use them
Restart cobblerd and then run 'cobbler sync' to apply changes.

conf.py 修正

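# Extensions enabled in this conf.py. Each name is imported as a Python module
# when the site is built, so list only extensions whose source you trust.
extensions = [
    'tinkerer.ext.blog',
    'tinkerer.ext.disqus',
    'japanesesupport',
    'withgithub',
]

# Add templates to be rendered in sidebar here
# (On the collapsed one-line form this assignment was fused into the comment
# above and therefore never executed; it is restored as its own statement.)
html_sidebars = {
    "**": ["recent.html", "categories.html", "tags.html", "searchbox.html"],
}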